Navigating the cloud for asset managers – Key regulatory and risk considerations

As Switzerland’s asset management industry cloud adoption progresses, the interplay between evolving data protection laws, outsourcing regulations, and cross-border data flows demands rigorous compliance strategies. This article highlights some key aspects to be taken into account when considering usage of cloud-based solutions.

Fedor Poskriakov
Deputy Managing Partner, Head of Fintech, Lenz & Staehelin

The Swiss asset management industry is at a crossroads, where the pressure on costs, the need to ever improve efficiency and the increasing amount of data and regulatory requirements pose challenges, but also offer opportunities for growth and efficiency. In this context, the practical reality is that many state-of-the-art software solutions and tools at the disposal of the industry are only available in cloud-based deployments, the implementation of which necessitates a careful and informed approach. The relevant data protection and regulatory requirements apply not only for full outsourcing scenarios, but already when using day-to-day solutions such as Microsoft 365.

1. Understanding the regulatory landscape

Swiss asset managers must navigate a complex regulatory environment when adopting cloud solutions. Key regulations include the Swiss Federal Act on Data Protection (DPA), as well as the regulatory requirements relating to outsourcing and risk management. In this context, even though FINMA Circular 2018/3 (Outsourcing) and FINMA Circular 2023/1 (Risks and operational resilience – banks) do not directly apply to all asset managers, their underlying principles should be taken into account when adopting the relevant strategies, policies and procedures as part of a robust risk-based approach.

1.1 Data protection and professional secrecy

One of the foremost concerns for asset managers is ensuring the protection of client data. The DPA mandates that personal data must be processed lawfully, transparently, and for a specific purpose. Further, all client data is subject to professional secrecy under the Swiss Financial Institutions Act ("FinIA")[1], which is equivalent to Swiss banking secrecy. In this respect, asset managers must implement robust data protection measures, including, as the case may be, encryption, pseudonymisation and/or anonymisation, to safeguard client data.

In practice, mature domestic and foreign cloud solutions may be selected and used by Swiss asset managers, provided that the asset manager as a user carefully selects the service provider and takes effective measures to ensure that the data used in a cloud-based deployment is still protected. To ensure this on a continuing basis, the asset manager needs to understand how the data perimeter, as extended by the cloud solution, is protected.

1.2 Contractual considerations

When entering into agreements with cloud service providers, asset managers must ensure that the contracts address key regulatory requirements. In particular, contracts must include provisions for data security, audit rights, and the ability to control and monitor the cloud provider's compliance with data protection standards. Additionally, the contract should specify the locations where data will be stored and processed, ensuring compliance with Swiss data protection requirements.

1.3 Risk assessment and business continuity

Conducting a thorough risk assessment is crucial before adopting any cloud-based solution (including obvious items such as Microsoft 365, Teams or other cloud-based video-conferencing solutions, and any other software which processes personal or client data and is not hosted in a private cloud or on-premises environment). Asset managers should evaluate the potential risks associated with data breaches, cyber-attacks, and operational disruptions. Due diligence should include an assessment of the cloud or service provider's security measures, certifications such as ISO/IEC 27001, and its track record in handling data protection incidents.

In any event, detailed business continuity plans should be established and tested, including contingency plans for service interruptions, as well as ensuring that data backups are regularly performed and stored in secure, geographically diverse locations, and that there are clear procedures for data recovery in the event of a disaster. Asset managers need to be mindful that at least a copy of certain records (e.g., AML documentation) must be maintained in or be accessible at all times from Switzerland.

2. Practical considerations and recommendations

Without being exhaustive, below are some practical recommendations which should be considered when implementing a cloud-based solution, it being understood that each project has its specificities and needs to be reviewed and assessed on a case-by-case basis:

  • establish an inventory of data processing activities, and identify those where data (in the general sense) is processed by a third party (incl. in any cloud-hosted environment), as well as whether any material outsourcing is involved;
  • ensure that written agreements are in place with service providers, covering all necessary provisions for data security, audit rights, the ability to control and monitor the cloud provider's compliance with data protection standards, as well as data localization requirements;
  • draw up a risk assessment and related mitigation measures, as well as business continuity and recovery plans and procedures;
  • ensure that clients are adequately informed and, if necessary, consent to personal data being processed in a cloud solution (e.g., general terms, specific contractual clauses, data protection policy and related disclosure information booklets).

This is only a high-level overview and additional requirements and recommendations should be considered, including those set out in the Swiss Banking Association (SBA) Cloud Guidelines[2] or in Microsoft's compliance checklist for Swiss financial institutions[3].

Of note, the above recommendations apply not only to large outsourcing or full cloud-migration projects, but to any usage of cloud-based solutions. As a practical example, a Swiss asset manager using Microsoft 365 should ensure that the relevant contractual framework is in place, including the Microsoft Customer Agreement (MCA), the Data Protection Addendum (DPA), the Amendment for Switzerland regarding the Data Protection Addendum, as well as the Financial Services Addendum, including a written confirmation entered into with the relevant Microsoft partner which provides the cloud solution (the so-called Cloud Solution Provider (CSP)).

Conclusion

Swiss asset managers using cloud solutions should treat compliance as a dynamic framework, not a one-time check-the-box exercise. By integrating data protection assessments, FINMA’s risk-based approach to operational risks, and the SBA’s Cloud Guidelines (even where not directly applicable), asset managers can future-proof their cloud strategies while keeping their feet on the ground.

[1] See Article 69 FinIA.

[2] Swissbanking

[3] Service Trust Portal

Biography

Fedor Poskriakov is a deputy managing partner in the Banking and Finance practice and is based at the Geneva office of Lenz & Staehelin. His area of expertise lies in banking, securities, and finance law, with a particular focus on fintech. Fedor regularly provides advice on complex and novel regulatory, contractual, and corporate matters. His comprehensive experience, coupled with his skillful approach, enables him to provide valuable insights and strategic advice to clients. Fedor has also developed a specialized skill set in advising on new technologies, such as distributed ledger (blockchain), as well as novel fintech business models. Fedor is the co-head of the FinTech practice at Lenz & Staehelin and serves as the Secretary-General of the Capital Markets and Technology Association (CMTA). Furthermore, Fedor is a frequent speaker on Swiss financial market regulation at both domestic and international events.